DETAILED ACTION

1. This Office Action is in response to Applicants' Amendment filed 8/30/2006.

2. Claims 1-37 are pending in this application. 



Claim Rejections - 35 U.S.C. § 102

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

4. Claims 1-37 are rejected under 35 U.S.C. 102(b) as being anticipated by Damiani 
et al. ("A Fine Grained Access Control System for XML Documents", Published May 
2002 in "ACM Transactions on Information and System Security", Vol. 5, No. 2, Pages 
169-202). 

As per claim 1, Damiani teaches "A method for controlling access to structured 
documents" (see Introduction, pg. 171) 

"a) providing an access control policy for a structured document comprising a 
plurality of nodes, wherein the access control policy comprises a plurality of access 
control rules;" (pg. 183, section 5.1 "Basic Features of the Access Authorizations", 
wherein access authorization rules determine whether a user has access to objects) 

"b) generating a path for each of the plurality of nodes in the structured 
document;" (pg. 174, Example 2.1 and Figure 1(a), wherein the DTD of an XML 
document shows path information)

"and c) generating value expression for each path based on at least one of the
plurality of access control rules," (pg. 186, Section 5.2 "Access Authorization" and 
Figure 5, wherein access authorizations express the requirement of access for each 
path of the object) "wherein the value expression is an executable statement utilized 
during access control evaluation to determine whether a user is allowed to access a 
node in the structured document." (pg. 186, Example 5.1, Figure 5, and Algorithm 6, 
wherein the "Sign" column indicates the authorization for objects, as indicated by a path 
expression, that a user holds, as indicated in the subject column. A user is given 
authorization after Algorithm 6 is executed, determining the view returned to a given 
user accessing an object) 

As per claim 2, Damiani teaches "the value expression indicates who is granted 
or denied access to the corresponding path associated with the node." (pg. 186, 
Example 5.1 and Figure 5, wherein the "Sign" column of the access authorization table 
indicates the subjects who are granted or denied access to each path expression 
associated with an object) 

As per claim 3, Damiani teaches "(d) storing each path and the corresponding 
value expression in a table." (pg. 186, Figure 5, wherein the access authorizations are 
kept in a table) 

As per claim 4, Damiani teaches "(e) compiling each value expression prior to 
storing step (d)" (pg. 186, Example 5.1, wherein each access authorization is compiled 
and collected prior to placement in the table)

As per claim 5, Damiani teaches "(f) receiving a query from a user, wherein the
query requests access to a node in the document;" (pg. 192, Example 6.1 lines 1-4, 
wherein a query from a user is received) "(g) executing the query;" (pg. 192, Example 
6.1 lines 6-8, wherein the query is executed) "(h) evaluating the value expression 
corresponding to the path associated with the requested node;" (pg. 187, section 6.1
"Document Tree Labeling" and Figure 8, wherein the requested object's access
authorization is examined and evaluated compared to the user id) "(i) displaying data 
associated with the requested node if the value expression grants access to the user;" 
(pg. 192, Example 6.1 lines 14-21 and Figure 9(a) and 9(b), wherein the data is 
displayed showing accessible objects) "and (j) hiding data associated with the 
requested node if the value expression denies access to the user." (pg. 192, Example 
6.1 lines 14-21 and Figure 9(a) and 9(b), wherein the data is displayed hiding denied 
objects) 

As per claim 6, Damiani teaches "the evaluating step (h) is performed during a 
run time." (pg. 188, section 6.1 "Document Tree Labeling", wherein the authorizations' 
behavior varies from different requesters at runtime) 

As per claim 7, Damiani teaches "wherein generating step (c) further comprises: 
(c1) normalizing each of the access control rules into a format comprising a head, a 
path and a condition, wherein the condition indicates who is granted or denied access to 
the path and under what circumstances;" (pg. 186, Example 5.1 and Figure 5, wherein 
the access authorization includes a subject, a path expression and a sign that indicated 
the condition) "(c2) propagating each of the plurality of access control rules through 
each path such that access to each path is defined by at least one access control rule;"
(pg. 183, section 5.1 "Basic Features of the Access Authorizations" paragraph 2, 
wherein the authorizations can be recursive, propagating through the paths) "and (c3) 
transforming each of the at least one access control rules affecting each path into a 
statement indicating who is granted and denied access to the path." (pg. 183, section 5.1
"Basic Features of the Access Authorizations" paragraph 3, wherein the authorizations 
are indicative of who is granted or denied access, including groups) 

As per claim 8, Damiani teaches "(e) replacing the value expression for a path 
associated with a node with a reference notation if the value expression is identical to 
that for a path associated with the node's parent, thereby eliminating repeated value 
expressions in the table." (pg. 183, section 5.1 "Basic Features of the Access
Authorizations" paragraph 2 lines 9-13, wherein recursive propagation of the 
authorizations applies to all descendant objects until overridden by a conflicting sign) 

As per claim 9, Damiani teaches "the providing step (a) comprises: (a1) writing 
the plurality of access control rules; and (a2) validating the plurality of access control 
rules such that the resulting rules are syntactically and logically valid." (pg. 180, section 
4 "Authorization Objects", wherein the authorizations are written and validated) 

As per claim 10, Damiani teaches "the structured document is written in 
Extensible Markup Language." (pg. 176 paragraph 2 and Figures 1-2, wherein
documents are in XML format)

As per claim 11, Damiani teaches "A computer readable medium encoded with
a computer program for controlling access to a structured document" (see Introduction, 
pg. 171). For the remaining steps of this claim applicant(s) is/are directed to the remarks 
and discussions made in claim 1 above. 

As per claims 12-20, these claims teach the limitations covering the same 
grounds as rejected claims 2-10, as discussed above, and are similarly rejected. 

As per claim 21, Damiani teaches "A computer system for controlling access to 
a structured document," (see Introduction, pg. 171) 

"a database management system implemented on the computer system, the 
database management system comprising" (pg. 199, section 8.3 "The Java 
Implementation") 

"an access control policy for a structured document, wherein the structured 
document comprises a plurality of nodes and the access control policy comprises a 
plurality of access control rules," (pg. 183, section 5.1 "Basic Features of the Access 
Authorizations", wherein access authorization rules determine whether a user has 
access to objects) 

"and an access control mechanism configured to: generate a path for each of the 
plurality of nodes in the structured document" (pg. 174, Example 2.1 and Figure 1(a), 
wherein the DTD of an XML document shows path information) 

"and generate a value expression for each path based on at least one of the 
plurality of access control rules," (pg. 186, Section 5.2 "Access Authorization" and 
Figure 5, wherein access authorizations express the requirement of access for each
path of the object) 

"wherein the value expression is an executable statement utilized by the 
database management system during access control evaluation to determine whether a 
user is allowed to access a node in the structured document." (pg. 186, Example 5.1, 
Figure 5, and Algorithm 6, wherein the "Sign" column indicates the authorization for 
objects, as indicated by a path expression, that a user holds, as indicated in the subject 
column. A user is given authorization after Algorithm 6 is executed, determining the 
view returned to a given user accessing an object) 

As per claim 22, Damiani teaches "the value expression indicates who is 
granted or denied access to the corresponding path associated with the node." (pg. 186, 
Example 5.1 and Figure 5, wherein the "Sign" column of the access authorization table 
indicates the subjects who are granted or denied access to each path expression 
associated with an object) 

As per claim 23, Damiani teaches "the Access Control mechanism is configured
to store each path and the corresponding value expression in a table." (pg. 186, Figure 
5, wherein the access authorizations are kept in a table) 

As per claim 24, Damiani teaches "a compiler configured to compile each value 
expression prior to storage of the value expression in the table." (pg. 186, Example 5.1, 
and Algorithm 6, wherein each access authorization is compiled and collected prior to 
placement in the table)

As per claim 25, Damiani teaches "the database management system is
configured to receive a query from a user, wherein the query requests access to a node 
in the document," (pg. 192, Example 6.1 lines 1-4, wherein a query from a user is 
received) "to execute the query," (pg. 192, Example 6.1 lines 6-8, wherein the query is 
executed) "to evaluate the value expression corresponding to the path associated with 
the requested node," (pg. 187, section 6.1 "Document Tree Labeling" and Figure 8, 
wherein the requested object's access authorization is examined and evaluated 
compared to the user id) "to display data associated with the requested node if the 
value expression grants access to the user," (pg. 192, Example 6.1 lines 14-21 and 
Figure 9(a) and 9(b), wherein the data is displayed showing accessible objects) "and to 
hide data associated with the requested node if the value expression denies access to 
the user." (pg. 192, Example 6.1 lines 14-21 and Figure 9(a) and 9(b), wherein the data 
is displayed hiding the denied objects) 

As per claim 26, Damiani teaches "access control evaluation is performed 
during a run time." (pg. 188, section 6.1 "Document Tree Labeling", wherein the 
authorizations' behavior varies from different requesters at runtime) 

As per claim 27, Damiani teaches "a translator for normalizing each of the 
access control rules into a format comprising a head, a path and a condition, wherein 
the condition indicates who is granted or denied access to the path," (pg. 186, Example 
5.1 and Figure 5, wherein the access authorization includes a subject, a path 
expression and a sign that indicated the condition) "and for propagating each of the 
plurality of access control rules through each path such that access to each path is 
defined by at least one access control rule;" (pg. 183, section 5.1 "Basic Features of the
Access Authorizations" paragraph 2, wherein the authorizations can be recursive, 
propagating through the paths) "and a value expression generator for transforming each 
of the at least one access control rules associated with each path into a statement 
indicating who is granted and denied access to the path." (pg. 183, section 5.1 "Basic 
Features of the Access Authorizations" paragraph 3, wherein the authorizations are 
indicative of who is granted or denied access, including groups) 

As per claim 28, Damiani teaches "the access control rules are syntactically and 
logically valid." (pg. 180, section 4 "Authorization Objects", wherein the authorizations 
use a standard language, XPath, for validation) 

As per claim 29, Damiani teaches "the structured document is written in 
Extensible Markup Language." (pg. 176 paragraph 2 and Figures 1-2, wherein 
documents are in XML format) 

As per claim 30, Damiani teaches "A method for controlling access to structured 
documents" (see Introduction, pg. 171) 

"a) providing an access control policy for a structured document comprising a 
plurality of nodes, wherein the access control policy comprises a plurality of access 
control rules;" (pg. 183, section 5.1 "Basic Features of the Access Authorizations", 
wherein access authorization rules determine whether a user has access to objects)

"b) generating a path for each of the plurality of nodes in the structured
document;" (pg. 174, Example 2.1 and Figure 1(a), wherein the DTD of an XML 
document shows path information) 

"and c) generating value expression for each path based on at least one of the 
plurality of access control rules," (pg. 186, Section 5.2 "Access Authorization" and 
Figure 5, wherein access authorizations express the requirement of access for each 
path of the object) "wherein the value expression is an executable statement utilized 
during access control evaluation to determine whether a user is allowed to access a 
node in the structured document." (pg. 186, Example 5.1, Figure 5, and Algorithm 6, 
wherein the "Sign" column indicates the authorization for objects, as indicated by a path 
expression, that a user holds, as indicated in the subject column. A user is given 
authorization after Algorithm 6 is executed, determining the view returned to a given 
user accessing an object) 

"and (d) storing each path and the corresponding value expression in a table;" 
(pg. 186, Figure 5, wherein the access authorizations are kept in a table) "wherein the 
corresponding value expression is utilized during access control evaluation to determine 
whether a user is allowed to access a node in the structured document." (pg. 186, 
Example 5.1, Figure 5, Algorithm 6, wherein the "Sign" column indicates the subjects 
who are granted access to each path expression associated with an object, used in the 
evaluation of views directed at a user)

As per claim 31, Damiani teaches "(e) receiving a query from a user, wherein
the query requests access to a node in the document;" (pg. 192, Example 6.1 lines 1-4, 
wherein a query from a user is received) 

"(f) executing the query;" (pg. 192, Example 6.1 lines 6-8, wherein the query is 
executed) 

"(g) evaluating the value expression corresponding to the path associated with 
the requested node during a run time;" (pg. 187, section 6.1 "Document Tree Labeling" 
and Figure 8, wherein the requested object's access authorization is examined and
evaluated compared to the user id) 

"(h) displaying data associated with the requested node if the value expression 
grants access to the user;" (pg. 192, Example 6.1 lines 14-21 and Figure 9(a) and 9(b), 
wherein the data is displayed showing accessible objects) 

"and (i) hiding data associated with the requested node if the value expression 
denies access to the user." (pg. 192, Example 6.1 lines 14-21 and Figure 9(a) and 9(b), 
wherein the data is displayed hiding denied objects) 

As per claim 32, Damiani teaches "generating step (c) further comprises: (c1) 
normalizing each of the access control rules into a format comprising a head, a path 
and a condition, wherein the condition indicates who is granted or denied access to the 
path and under what circumstances;" (pg. 186, Example 5.1 and Figure 5, wherein the 
access authorization includes a subject, a path expression and a sign that indicated the 
condition)

"(c2) propagating each of the plurality of access control rules through each path
such that access to each path is defined by at least one access control rule;" (pg. 183, 
section 5.1 "Basic Features of the Access Authorizations" paragraph 2, wherein the 
authorizations can be recursive, propagating through the paths) 

"and (c3) transforming each of the at least one access control rules affecting 
each path into a statement indicating who is granted and denied access to the path." 
(pg. 183, section 5.1 "Basic Features of the Access Authorizations" paragraph 3, 
wherein the authorizations are indicative of who is granted or denied access, including 
groups) 

As per claim 33, Damiani teaches "A computer readable medium containing 
programming instructions for providing path-level access control to a structured 
document in a collection stored in a database, wherein the structured document 
comprises a plurality of nodes," (see Introduction, pg. 171). For the remaining steps of 
this claim applicant(s) is/are directed to the remarks and discussions made in claim 30 
above. 

As per claims 34-35, these claims teach the limitations covering the same 
grounds as rejected claims 31-32, as discussed above, and are similarly rejected. 



As per claim 36, Damiani teaches "A method for controlling access to structured 
documents" (see Introduction, pg. 171) 



Application/Control Number: 10/651,691
Art Unit: 2168

"a) providing an access control policy for a structured document comprising a 
plurality of nodes, wherein the access control policy comprises a plurality of access 
control rules;" (pg. 183, section 5.1 "Basic Features of the Access Authorizations", 
wherein access authorization rules determine whether a user has access to objects) 

"b) generating a path for each of the plurality of nodes in the structured 
document;" (pg. 174, Example 2.1 and Figure 1(a), wherein the DTD of an XML 
document shows path information) 

"and c) generating value expression for each path based on at least one of the 
plurality of access control rules," (pg. 186, Section 5.2 "Access Authorization" and 
Figure 5, wherein access authorizations express the requirement of access for each 
path of the object) 

"wherein the generating step comprising: (c1) normalizing each of the access 
control rules into a format comprising a head, a path and a condition, wherein the 
condition indicates who is granted or denied access to the path and under what 
circumstances;" (pg. 186, Example 5.1 and Figure 5, wherein the access authorization 
includes a subject, a path expression and a sign that indicated the condition) "(c2) 
propagating each of the plurality of access control rules through each path such that 
access to each path is defined by at least one access control rule;" (pg. 183, section 5.1 
"Basic Features of the Access Authorizations" paragraph 2, wherein the authorizations 
can be recursive, propagating through the paths) "and (c3) transforming each of the at 
least one access control rules affecting each path into a statement indicating who is 
granted and denied access to the path;" (pg. 183, section 5.1 "Basic Features of the 
Access Authorizations" paragraph 3, wherein the authorizations are indicative of who is
granted or denied access, including groups) 

"and (d) storing each path and the corresponding value expression in a table;" 
(pg. 186, Figure 5, wherein the access authorizations are kept in a table) "wherein the 
corresponding value expression is utilized during access control evaluation to determine 
whether a user is allowed to access a node in the structured document." (pg. 186, 
Example 5.1, Figure 5, Algorithm 6, wherein the "Sign" column indicates the subjects 
who are granted access to each path expression associated with an object, used in the 
evaluation of views directed at a user) 

"wherein the value expression is an executable statement utilized during access 
control evaluation to determine whether a user is allowed to access a node in the 
structured document." (pg. 186, Example 5.1, Figure 5, and Algorithm 6, wherein the 
"Sign" column indicates the authorization for objects, as indicated by a path expression, 
that a user holds, as indicated in the subject column. A user is given authorization after 
Algorithm 6 is executed, determining the view returned to a given user accessing an 
object) 

As per claim 37, Damiani teaches "A computer readable medium containing 
programming instructions for providing path-level access control to a structured 
document in a collection stored in a database, wherein the structured document 
comprises a plurality of nodes" (see Introduction, pg. 171). For the remaining steps of 
this claim applicant(s) is/are directed to the remarks and discussions made in claim 36
above. 

Response to Arguments 

5. Applicant's amendment, see page 16, filed 8/30/2006, with respect to the 
objection to the claims have been fully considered and are persuasive. The objection to 
the claims has been withdrawn. 

6. Applicant's amendment, see page 17, filed 8/30/2006, with respect to the 
objection to the specification have been fully considered and are persuasive. The 
objection to the claims has been withdrawn.

7. Applicant's amendment, see page 17, filed 8/30/2006, with respect to the 
rejection of claims 11-29, 33-35, and 37 under 35 USC 101 have been fully considered 
and are persuasive. The rejection of claims 11-29, 33-35, and 37 under 35 USC 101 
has been withdrawn. 

8. Applicant's arguments with respect to the 35 USC 102(b) rejection of claims 1-37 
have been fully considered but they are not persuasive. 

a. Applicant's argument is stated as Damiani does not disclose that the 
"access authorization" is an executable statement. 

In response to the argument, Examiner respectfully disagrees. In the 
Damiani reference, the access authorization is provided by an access 
authorization made up of a subject, object, action, sign, and type columns. When 
a client wishes to access an object, the path expression is read from the table. 
Using Algorithm 6 on page 189, the computer view reads in the data from the
access authorization table to determine the view to be returned to a user. The 
sign indicates a denial or allowance of access by a subject to an object indicated 
by the path expression. The data from the access authorization table is read in to 
be executed by the algorithm, and resembles an executable statement. 
Therefore, Damiani teaches that "access authorization" is an executable 
statement. 

b. Applicant's argument is stated as Damiani discloses an access 
authorization as both a value expression and the access control rule recited in 
claim 1, and cannot be construed as disclosing both elements of claim 1. 

In response to the argument, Examiner respectfully disagrees. As outlined 
above, the value expression is disclosed in Damiani as being composed of the
subject and sign column of the table, which are read into an algorithm to 
determine the view given to a user, based on access authorization. The access 
authorization table controls the access control policy of the system, and within 
the access authorization table, each row represents an access control rule each 
subject, or client, follows with respect to access authorization. The value 
expression is disclosed above to be the individual data points within the table, 
while the access control rule is disclosed to be a row of the access authorization 
table determining access rules for a subject. Therefore, Damiani discloses the 
access authorization table being an access control policy of claim 1, composed
of rows of access control rules and containing value expressions to be executed
by an algorithm to determine access authorization. 

Conclusion 

9. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

10. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Dangelino N. Gortayo whose telephone number is 
(571)272-7204. The examiner can normally be reached on M-F 7:30-4:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Tim T. Vo can be reached on (571)272-3642. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Dangelino N. Gortayo Tim T. Vo 

Examiner SPE 